SELinux labeling should be disabled when using --privileged mode
/etc/hosts, /etc/resolv.conf and /etc/hostname should not be relabeled if they
are volume-mounted into the container.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
@@ -118,7 +118,9 @@ func (container *Container) NetworkMounts() []Mount {
| 118 | 118 |
if _, err := os.Stat(container.ResolvConfPath); err != nil {
| 119 | 119 |
logrus.Warnf("ResolvConfPath set to %q, but can't stat this filename (err = %v); skipping", container.ResolvConfPath, err)
| 120 | 120 |
} else {
| 121 |
- label.Relabel(container.ResolvConfPath, container.MountLabel, shared) |
| 121 |
+ if !container.HasMountFor("/etc/resolv.conf") {
| 122 |
+ label.Relabel(container.ResolvConfPath, container.MountLabel, shared) |
| 123 |
+ } |
| 122 | 124 |
writable := !container.HostConfig.ReadonlyRootfs |
| 123 | 125 |
if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
| 124 | 126 |
writable = m.RW |
@@ -135,7 +137,9 @@ func (container *Container) NetworkMounts() []Mount {
| 135 | 135 |
if _, err := os.Stat(container.HostnamePath); err != nil {
| 136 | 136 |
logrus.Warnf("HostnamePath set to %q, but can't stat this filename (err = %v); skipping", container.HostnamePath, err)
| 137 | 137 |
} else {
| 138 |
- label.Relabel(container.HostnamePath, container.MountLabel, shared) |
| 138 |
+ if !container.HasMountFor("/etc/hostname") {
| 139 |
+ label.Relabel(container.HostnamePath, container.MountLabel, shared) |
| 140 |
+ } |
| 139 | 141 |
writable := !container.HostConfig.ReadonlyRootfs |
| 140 | 142 |
if m, exists := container.MountPoints["/etc/hostname"]; exists {
| 141 | 143 |
writable = m.RW |
@@ -152,7 +156,9 @@ func (container *Container) NetworkMounts() []Mount {
| 152 | 152 |
if _, err := os.Stat(container.HostsPath); err != nil {
| 153 | 153 |
logrus.Warnf("HostsPath set to %q, but can't stat this filename (err = %v); skipping", container.HostsPath, err)
| 154 | 154 |
} else {
| 155 |
- label.Relabel(container.HostsPath, container.MountLabel, shared) |
| 155 |
+ if !container.HasMountFor("/etc/hosts") {
| 156 |
+ label.Relabel(container.HostsPath, container.MountLabel, shared) |
| 157 |
+ } |
| 156 | 158 |
writable := !container.HostConfig.ReadonlyRootfs |
| 157 | 159 |
if m, exists := container.MountPoints["/etc/hosts"]; exists {
| 158 | 160 |
writable = m.RW |
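Review bot: The new guard `if !container.HasMountFor("/etc/resolv.conf")` decides whether to relabel from one source, while the `writable` computation two lines later decides from `container.MountPoints["/etc/resolv.conf"]`; if `HasMountFor` (defined outside this hunk) consults anything other than `MountPoints`, the relabel decision and the writability decision can disagree about whether the user supplied a mount at that destination. Hoisting the map lookup above the stat block and reusing it keeps both decisions in lockstep: `m, userMounted := container.MountPoints["/etc/resolv.conf"]` before the stat, `if !userMounted {` around the relabel, and `if userMounted { writable = m.RW }` below. A one-line why-comment on the guard, `// the user supplied their own file here, so the daemon-generated copy is not relabeled`, would record the intent from the commit message in the code. The same stat/relabel/writable block is repeated verbatim for /etc/hostname and /etc/hosts in the next two hunks, so a small helper taking the host path and the container destination would remove the triplication and make the fix live in one place. NetworkMounts begins before this hunk and continues after it.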
@@ -142,8 +142,8 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig) (retC *containe |
| 142 | 142 |
return container, nil |
| 143 | 143 |
} |
| 144 | 144 |
|
| 145 |
-func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode) ([]string, error) {
| 146 |
- if ipcMode.IsHost() || pidMode.IsHost() {
| 145 |
+func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) {
| 146 |
+ if ipcMode.IsHost() || pidMode.IsHost() || privileged {
| 147 | 147 |
return label.DisableSecOpt(), nil |
| 148 | 148 |
} |
| 149 | 149 |
|
@@ -247,7 +247,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf |
| 247 | 247 |
} |
| 248 | 248 |
var err error |
| 249 | 249 |
if hostConfig.SecurityOpt == nil {
| 250 |
- hostConfig.SecurityOpt, err = daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode) |
| 250 |
+ hostConfig.SecurityOpt, err = daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged) |
| 251 | 251 |
if err != nil {
| 252 | 252 |
return err |
| 253 | 253 |
} |
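Review bot: `generateSecurityOpt` now returns `label.DisableSecOpt()` for privileged containers as well, but the function carries no doc comment recording that it is the one place where label confinement is dropped; add `// generateSecurityOpt returns the default security options for a new container. Label confinement is disabled when the container shares the host IPC or PID namespace or runs privileged.` above the signature. The parameter list has grown to three values that all come from the same `hostConfig` at the call site in the later hunk, so passing `*containertypes.HostConfig` (or a small options struct) would stop the signature from growing with each new condition, though callers outside this diff may exist. The new behavior only takes effect under the pre-existing `if hostConfig.SecurityOpt == nil` gate, so a privileged container created with an explicit security-opt keeps whatever labels the user set; a short comment at that call site saying so would make the precedence explicit. The bodies of `create` and `adaptContainerSettings` continue outside these hunks.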